From: Dave Jones <davej@redhat.com>
To: Tang Chen <tangchen@cn.fujitsu.com>
Cc: tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com,
akpm@linux-foundation.org, zhangyanfei@cn.fujitsu.com,
guz.fnst@cn.fujitsu.com, x86@kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] numa, mem-hotplug: Fix array index overflow when synchronizing nid to memblock.reserved.
Date: Tue, 28 Jan 2014 10:24:57 -0500
Message-ID: <20140128152457.GB16534@redhat.com>
In-Reply-To: <1390899916-23566-3-git-send-email-tangchen@cn.fujitsu.com>

On Tue, Jan 28, 2014 at 05:05:16PM +0800, Tang Chen wrote:
> The following path will cause array out of bound.
>
> memblock_add_region() will always set nid in memblock.reserved to MAX_NUMNODES.
> In numa_register_memblks(), after we set all nid to correct values in memblock.reserved,
> we called setup_node_data(), and used memblock_alloc_nid() to allocate memory, with
> nid set to MAX_NUMNODES.
>
> The nodemask_t type can be seen as a bit array. And the index is 0 ~ MAX_NUMNODES-1.
>
> After that, when we call node_set() in numa_clear_kernel_node_hotplug(), the nodemask_t
> got an index of value MAX_NUMNODES, which is out of [0 ~ MAX_NUMNODES-1].
>
> See below:
>
> numa_init()
>  |---> numa_register_memblks()
>  |       |---> memblock_set_node(memory)     set correct nid in memblock.memory
>  |       |---> memblock_set_node(reserved)   set correct nid in memblock.reserved
>  |       |......
>  |       |---> setup_node_data()
>  |               |---> memblock_alloc_nid()  here, nid is set to MAX_NUMNODES (1024)
>  |......
>  |---> numa_clear_kernel_node_hotplug()
>          |---> node_set()                    here, we have an index 1024, and overflowed
>
> This patch moves nid setting to numa_clear_kernel_node_hotplug() to fix this problem.
>
> Reported-by: Dave Jones <davej@redhat.com>
> Signed-off-by: Tang Chen <tangchen@cn.fujitsu.com>
> Tested-by: Gu Zheng <guz.fnst@cn.fujitsu.com>
> ---
> arch/x86/mm/numa.c | 19 +++++++++++--------
> 1 file changed, 11 insertions(+), 8 deletions(-)

This does seem to solve the problem (in conjunction with David's variant of the other patch).

Dave
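
An added illustration, not part of this thread and not kernel code: a userspace model of the out-of-range index described in the quoted commit message, where a bit array sized for MAX_NUMNODES bits is indexed with nid == MAX_NUMNODES. The `_model` and `_checked` names and the bounds check are assumptions made for the example; the patch itself takes a different approach (it moves the nid setting).

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_NUMNODES 1024            /* value quoted in the commit message */
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define MASK_WORDS ((MAX_NUMNODES + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Model of a nodemask: a bit array with valid indices 0 .. MAX_NUMNODES-1. */
typedef struct { unsigned long bits[MASK_WORDS]; } nodemask_model_t;

/* Stand-in for one memblock.reserved entry (constructed for the example). */
struct region_model { int nid; };

static bool nid_in_range(int nid)
{
    return nid >= 0 && nid < MAX_NUMNODES;
}

/* Word an unchecked set would touch; for nid == MAX_NUMNODES this is
 * MASK_WORDS, one element past the end of bits[]. */
static size_t word_index(int nid) { return (size_t)nid / BITS_PER_LONG; }

/* Checked set: refuses an out-of-range nid instead of writing past bits[]. */
static bool node_set_checked(int nid, nodemask_model_t *mask)
{
    if (!nid_in_range(nid))
        return false;
    mask->bits[word_index(nid)] |= 1UL << ((size_t)nid % BITS_PER_LONG);
    return true;
}

static bool node_isset_model(int nid, const nodemask_model_t *mask)
{
    return nid_in_range(nid) &&
           ((mask->bits[word_index(nid)] >> ((size_t)nid % BITS_PER_LONG)) & 1UL);
}

/* Walk reserved regions and record their nids; returns how many were rejected. */
static size_t collect_kernel_nodes(const struct region_model *r, size_t n,
                                   nodemask_model_t *mask)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!node_set_checked(r[i].nid, mask))
            rejected++;
    return rejected;
}
```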